Security

Several critical security vulnerabilities were recently discovered by Bartlomiej Balcerek and Mateusz Stahl at the Wroclaw Centre for Networking and Supercomputing. Details regarding these vulnerabilities are provided below, and this stable Galaxy release contains fixes for those vulnerabilities. The Galaxy Team strongly encourages Galaxy server administrators to update their Galaxy servers immediately.

Because of this disclosure, the Galaxy Team performed an extensive audit to identify and fix security issues. Most notably, a large amount of work was done to secure the Galaxy server against cross-site scripting attacks.

Unless otherwise mentioned, the following security fixes have been applied to the current (January 13, 2015) and previous (October 6, 2014) Galaxy releases, identified by the latest_2015.01.13 and latest_2014.10.06 tags respectively.

Arbitrary code execution

A vulnerability was discovered that would allow a malicious person to execute arbitrary code on a Galaxy server. The vulnerability was due to gaps in Galaxy's command line template parameter sanitization. Although all form fields were sanitized for shell metacharacters, some other parameters that might be provided to tools on the command line (such as the input dataset name) were not. Because of this, dataset names and other fields could be constructed to exploit this vulnerability.

Due to the severity of this vulnerability, the fix for it has been applied back to the previous releases beginning with the January 13, 2013 release. The fix can be obtained by executing hg pull && hg update latest_<YYYY>.<MM>.<DD>, replacing the date with the date of the release currently in use.
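The gap described above, a command line assembled from a template where only some of the substituted values were sanitized, is easiest to see side by side with the hardened form. The following is an added illustration, not Galaxy's own sanitizer or template code: it uses a made-up template and a constructed dataset name, treats every substituted value the same way regardless of whether it came from a form field or from dataset metadata, and provides an audit helper that flags any parameter still carrying shell metacharacters.

```python
import shlex

# Characters that change how a POSIX shell interprets a command line.
# (This set is an assumption for the illustration, not Galaxy's list.)
SHELL_METACHARACTERS = set("|&;<>()$`\\\"'\n*?[]{}!")

# Constructed example: a tool template and the values substituted into it.
# "input_name" stands in for a dataset name, which is not entered through a
# sanitized form field but still reaches the command line.
TEMPLATE = "tool --in {input_name} --out {output_path}"
SAMPLE_PARAMS = {
    "input_name": "sample 1 & 2.fq",   # constructed; '&' is a shell operator
    "output_path": "/tmp/out.dat",
}


def audit_params(params):
    """Return the names of all parameters that contain shell metacharacters.

    A defender can run this over every value bound to a template, not only the
    form fields, to spot anything that would need quoting before substitution.
    """
    return [name for name, value in params.items()
            if any(ch in SHELL_METACHARACTERS for ch in str(value))]


def build_command_unsafe(template, params):
    """Vulnerable pattern: raw substitution of values into a shell command."""
    return template.format(**params)


def build_command_safe(template, params):
    """Hardened pattern: every value is shell-quoted, whatever its origin."""
    quoted = {name: shlex.quote(str(value)) for name, value in params.items()}
    return template.format(**quoted)


def tokens(command):
    """Split a command the way a POSIX shell would, to compare the two forms."""
    return shlex.split(command)


if __name__ == "__main__":
    print("unquoted parameters:", audit_params(SAMPLE_PARAMS))
    print("unsafe :", build_command_unsafe(TEMPLATE, SAMPLE_PARAMS))
    print("safe   :", build_command_safe(TEMPLATE, SAMPLE_PARAMS))
```

With the unsafe builder the `&` in the dataset name becomes a shell operator and the intended single argument is split into several words; with `shlex.quote` applied to every value the shell sees exactly one argument, and `audit_params` names the field that would otherwise have slipped through.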

Cross-site scripting

Many templates used in the Galaxy server did not properly sanitize user input, which would allow for cross-site scripting (XSS) attacks. In this form of attack, a malicious person can create a URL which, when opened by a Galaxy user or administrator, would allow the malicious user to execute arbitrary JavaScript and gain access to the user or administrator’s Galaxy account.
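The template fix amounts to escaping user-controlled values before they are placed into HTML. The following added example (not Galaxy's template code; the URL, page fragment and `message` parameter are all constructed for the illustration) takes a value from a query string, renders it both unescaped and escaped, and uses the standard-library HTML parser to check which tags the browser would actually see in each case.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed example URL: the "message" parameter is attacker-controlled and
# carries markup. The script body is an inert comment for the illustration.
USER_SUPPLIED = "<script>// constructed marker</script>"
SAMPLE_URL = "https://galaxy.example.org/message?" + urlencode({"message": USER_SUPPLIED})


def message_from_url(url):
    """Extract the 'message' query parameter exactly as a view would receive it."""
    params = parse_qs(urlparse(url).query)
    return params.get("message", [""])[0]


def render_unsafe(message):
    """Vulnerable template: the raw value is interpolated into the page."""
    return "<div class='message'>%s</div>" % message


def render_safe(message):
    """Hardened template: the value is HTML-escaped (including quotes)
    so that it is shown as text rather than interpreted as markup."""
    return "<div class='message'>%s</div>" % html.escape(message, quote=True)


class _TagCollector(HTMLParser):
    """Collect the start tags the browser would parse from a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def parsed_tags(fragment):
    """Return the list of element tags present in a rendered fragment.

    If anything other than the template's own wrapper element appears, user
    input has been interpreted as markup.
    """
    collector = _TagCollector()
    collector.feed(fragment)
    return collector.tags


if __name__ == "__main__":
    msg = message_from_url(SAMPLE_URL)
    print("unsafe tags:", parsed_tags(render_unsafe(msg)))
    print("safe tags  :", parsed_tags(render_safe(msg)))
```

The escaped rendering yields a single `div`; the unescaped one yields a `script` element as well, which is the condition the audit of Galaxy's templates was hunting for. The same check can be applied to any rendered fragment to confirm that only the template's own elements survive.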

OpenID redirect

Additional security has been added to the OpenID authentication methods to prevent a malicious person from redirecting a user to a site other than the Galaxy server from which the request originated. This issue did not cause the exposure of login credentials or provide a malicious person access to a user’s account, but it could be used to trick a user into entering their credentials on a fake Galaxy server.
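The OpenID hardening above is an open-redirect fix: after authentication the server must only send the browser back to a location on the originating Galaxy host. The following is an added example of such a check, not the code Galaxy ships; the host name and the candidate targets are constructed for the illustration. It covers the edge cases a practitioner would want rejected: scheme-relative URLs (`//other.host`), backslash variants that browsers treat as slashes, absolute URLs to other hosts, user-info tricks (`https://good.host@other.host/`), and non-HTTP schemes.

```python
from urllib.parse import urlparse

# Constructed: the host (and port, if any) the Galaxy server is reached on.
GALAXY_HOST = "galaxy.example.org"


def is_local_redirect(target, galaxy_host=GALAXY_HOST):
    """Return True only if 'target' stays on the Galaxy server itself.

    Accepted: an absolute path such as "/datasets/list", or a full http(s)
    URL whose authority is exactly the Galaxy host.
    Rejected: anything else, including empty values, control characters,
    backslashes, scheme-relative URLs and other hosts.
    """
    if not target:
        return False
    # Browsers strip or reinterpret control characters; refuse them outright.
    if any(ord(ch) < 32 for ch in target):
        return False
    # Browsers treat "\" like "/" in URLs, so "/\other.host" becomes "//other.host".
    if "\\" in target:
        return False
    # "//other.host" (and "///other.host") is a scheme-relative URL to another host.
    if target.startswith("//"):
        return False
    parsed = urlparse(target)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return False
    if parsed.netloc:
        # netloc includes any user-info ("good.host@other.host"), so an exact
        # comparison against the expected host rejects that trick as well.
        return parsed.netloc.lower() == galaxy_host.lower()
    # No authority: only a path that is absolute (single leading slash) is local.
    return target.startswith("/")


def safe_redirect_target(target, galaxy_host=GALAXY_HOST, default="/"):
    """Return 'target' if it is local, otherwise fall back to a safe default."""
    return target if is_local_redirect(target, galaxy_host) else default


if __name__ == "__main__":
    for candidate in ["/datasets/list", "//other.example/", "https://other.example/login"]:
        print("%-30s -> %s" % (candidate, safe_redirect_target(candidate)))
```

The decision is deliberately an allow-list (absolute local path, or exact host match) rather than a block-list of known tricks, so a target the function has never seen falls back to the default page instead of leaving the site.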

Mobile Galaxy

Galaxy’s mobile interface, in addition to being vulnerable to XSS attacks, has not been updated with the standard UI, and was largely unusable. Because of this, the mobile interface has been disabled.

Highlights

IPython Integration

Thanks to the awesome work of community members Björn Grüning and Eric Rasche, Galaxy now features integration with the popular IPython project. The Galaxy-IPython project has been merged into Galaxy core and made into a generic plugin framework of interactive environments based on Docker. The IPython plugin allows users to launch and securely connect to an IPython server running in a Docker container, fetch data from their Galaxy history, use the full-feature IPython runtime environment to analyze it, and finally push results back into their history. A YouTube video of the plugin in action can be found here. Information on enabling this plugin is linked to via this Trello card. Interactive Environments (IEs) need to be set up.

Tool Form Upgrade (for Beta Testing)

Galaxy's tool form forces pages to reload entirely in response to many user interactions. This limits Galaxy's responsiveness and can result in a cumbersome user experience when entering complex tool configurations. In Galaxy's development branch, this tool form has been redesigned and modernized to address these and other limitations. This new tool form will become the default with the next release, but we are hoping tool authors and power users enable it and provide feedback during this release cycle in order to ensure it is working ideally when it becomes the default. The tool form can be enabled by setting toolform_upgrade=True in Galaxy's config/galaxy.ini.

Enhancement to configuration that permits the resolution of relative paths in tool data configuration and .loc files. The string ${__HERE__} will be expanded out to the directory the file (XML configuration or loc) currently resides in. Ticket includes details/use cases/dependencies. https://trello.com/c/5VQOWgld

Added JavaScript validation for username and email changes. Previously, a user account was deactivated upon an email address update when no prior activation token existed, requiring account activation, but no notice was given to the user. Now, if no token is present (legacy auto-validation), the new email address must be verified, and the verification email is sent upon login. Plus minor tunings. https://trello.com/c/WTSZtxuD https://trello.com/c/HJsfz3no

Added blank string for host_url to tooltip rendering when the value is unavailable. Avoids an occasional issue that comes up in the Workflow editor. Thank you Kyle Ellrott. https://trello.com/c/g5xNIYGS

Updated Docker to run with 'auto-remove' by default (--rm flag). Containers are automatically removed when they exit, which prevents old work containers from accumulating. Thanks Kyle Ellrott. https://trello.com/c/uSyg8OYN

Updated Docker to run with 'set user' by default (docker_set_user = true). With this change, commands run inside the container, and any results they produce, are owned by a non-root user. Thanks again to Kyle Ellrott. https://trello.com/c/0FO0UOe7

Added tool_library_dir to the tool_conf parser (tool_dir was already added). For tool_library_dir, the parser scans the child directories of the given directory and loads the .xml files inside them. This permits loading all of the .xml tool definitions within the same base directory, including nested directories. https://trello.com/c/OJelgFPu

Allow Model objects to be loaded when they have problematic JSON values. Now, when such a value is encountered, it is substituted with None. https://trello.com/c/9lvIKGXa

Adjusted data column parameters that pointed to "multiple" data parameters. Avoids a server-side exception while the parameter builds, validates, and uses a meaningful set of columns. https://trello.com/c/0CCy6mtk

Added the tool package download function to the API. The update also resolves a few issues in the packaging code. Thank you Kyle Ellrott. https://trello.com/c/7cE1oqmM

Revised the SRMA tool wrapper so that it requires at least 2048 MB of memory and reset the tag VALIDATION_STRINGENCY=LENIENT (important for many use cases). Contributed by Lance Parsons. https://trello.com/c/MUb4zETD

Moved handler startup to immediately follow the full creation and association of a JobManager. Resolves an error where the initialization of the job handler's thread found that the app had no manager yet. https://trello.com/c/7P5dBqdu

Improved DatasetMatcher to now check if a Dataset’s hda is of the correct format before attempting to perform filtering. This ensures that the correct metadata attributes are intact, with the goal of clarifying job failure reasons (as some attributes may not exist for an unexpected format). https://trello.com/c/wKuW6o1R

Improved handling in the DynamicOptions AdditionalValueFilter function when Dataset columns have not been assigned. The logic now interprets the data value instead of failing because the name (column label) metadata attribute is missing or unassigned. https://trello.com/c/kPFaKDlv

Improved handling of the Slurm job CANCELLED state. This improves error reporting, e.g. by clearly stating when a job fails because it exceeds memory quotas versus being cancelled by the administrator for other reasons. https://trello.com/c/GA29VWGL

Corrected a boolean parameter handling issue that occurred during a Workflow’s runtime execution. Incorporating this fix is critical for proper Workflow execution. The problem manifested as certain tool parameters executing "in the reverse state" when used within Workflows (exclusively, and never when tools were executed directly outside of Workflows). A tool "re-run" form will reveal the issue, and various failure errors are known to have resulted. If a previously successful Workflow now fails, and your instance has not yet included this changeset, this issue is likely the root cause of the Workflow tool errors. The problem impacted the Main public Galaxy instance at http://usegalaxy.org for a short time window in November. The fix was applied to the public instance and added to the Stable branch under latest_2014.10.06 upon discovery/resolution, at a priority, during this same time frame. Reported by Andrea Pinna. https://trello.com/c/zdHaxzSn https://trello.com/c/sXUwBJgb

News and Community

We would like to send a special acknowledgement along with a huge Thank YOU!! (or as our own Dave Clements often states informally, "Hugs!") to our Intergalactic Utilities Commission members. Our project most definitely would not be the same without the IUC's unwavering and dedicated support, contributions, and suggestions throughout the years. Everyone in the Galaxy community benefits directly, in a multitude of ways, that are too far reaching to list out fully in this quick note. Curious about who is involved and the key role this community-driven group has in improving and maintaining the Tool Shed and their owned/reviewed Repositories (in addition to other important areas)? Learn more about the members and future/active/prior projects and goals here....

Explore the latest Galaxy Project news from our team that covers recent Events, Publications, New Tools, and much more in our monthly project reports published in our wiki under Galaxy Updates.

Tool Shed Contributions. This is a brand-new area previously included directly in the Galaxy Updates newsletters. Watch as this area develops as we work to summarize new repository updates in a concise and organized format. Feedback about how you would like to see this evolve (including general interest) is welcome. We will be posting a comment/feedback post at Galaxy Biostar to provide an opportunity for our community to discuss. A summary will be added to Trello once feedback is gathered for review and action. (A link to that post will be added right here in this wiki within the next week; this is truly a brand-new endeavor to break this out as a distinct wiki resource!!)

If you are new to Galaxy or wish to connect with our project more in 2015, these key links can help keep you updated about our activities and updates in real time (or at your own pace). Galaxy is a community project, and we would like to remind everyone of the resources and venues available for news and support. Most reading our News Briefs are familiar with Development, Cloud, Local, and other deployment resources such as Admin plus Tool and Tool Repository documentation, but below is a short list of even more places to visit and get connected:

Teach resources are an exciting, growing, and key area for expansion throughout 2015; check out what is new!

Follow current development in real time and create, comment, and vote on active Trello tickets. As an open source project, we very much welcome community involvement. Not sure how to get involved or how to create an account? We have guidance available here..., which includes a form to aid with quick ticket submission.

Community resources. Overview about how we value and seek your input. Have your voice heard and get involved!

Galaxy Project home page (hub for all resources, those listed above and more!)

See our wiki's right side bar menu → for more links to areas of interest to you

Our wiki is absolutely open for community contributions and improvements. We have plans in place for documentation updates in the upcoming year, but we greatly value the knowledge and insight shared through this resource by all that have ideas to make it even better. Let's work together to expand this wiki to meet the needs of the upcoming year as our project matures, as new research/development areas come up, and as Galaxy grows and evolves with new features and enhancements! Create a wiki account and contact us at "outreach at galaxyproject dot org" to become a wiki editor.